Over the past few days, we've received reports of corporate networks getting infected with variants of MS08-067 worms. These are mostly Downadup/Conficker variants.

The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. One sign of infection is that user accounts become locked out of an Active Directory domain: the worm attempts to crack account passwords using a built-in dictionary, and when those attempts fail, the accounts get locked.
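One way to check for the lockout symptom described above is sketched here as an added example (not code from the original post). It flags any host that locks out many distinct accounts in a short window. The CSV export layout, the use of Windows Security event ID 4740 (user account locked out), the thresholds, and the host and account names are all assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (assumed column layout), not real log data.
SAMPLE_CSV = """timestamp,event_id,account,caller_computer
2009-01-12T09:00:05,4740,alice,WKS-017
2009-01-12T09:00:09,4740,bob,WKS-017
2009-01-12T09:00:14,4740,carol,WKS-017
2009-01-12T09:00:20,4740,dave,WKS-017
2009-01-12T09:00:31,4740,erin,WKS-017
2009-01-12T09:03:00,4624,frank,WKS-044
2009-01-12T10:15:00,4740,grace,WKS-044
2009-01-12T13:40:00,4740,grace,WKS-044
2009-01-12T16:05:00,4740,heidi,WKS-101
"""

LOCKOUT_EVENT_ID = "4740"  # "A user account was locked out"


def suspicious_lockout_sources(csv_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {caller_computer: sorted accounts} for hosts that locked out at
    least `min_accounts` distinct accounts within one sliding `window`."""
    rows = sorted(
        (datetime.fromisoformat(r["timestamp"]),
         r["caller_computer"].strip().upper(),
         r["account"].strip().lower())
        for r in csv.DictReader(io.StringIO(csv_text))
        if r["event_id"].strip() == LOCKOUT_EVENT_ID
    )
    recent = defaultdict(deque)  # host -> (time, account) events inside the window
    flagged = defaultdict(set)   # host -> accounts seen in a qualifying burst
    for when, host, account in rows:
        events = recent[host]
        events.append((when, account))
        while when - events[0][0] > window:  # drop events older than the window
            events.popleft()
        accounts = {a for _, a in events}
        # A user mistyping a password locks one account; a dictionary attack
        # from an infected host locks many different accounts in quick succession.
        if len(accounts) >= min_accounts:
            flagged[host] |= accounts
    return {host: sorted(accts) for host, accts in flagged.items()}


if __name__ == "__main__":
    for host, accts in suspicious_lockout_sources(SAMPLE_CSV).items():
        print(f"{host}: {len(accts)} accounts locked out in a burst: {', '.join(accts)}")
```

Counting distinct accounts per source host, rather than raw lockout events, keeps a single user who repeatedly locks their own account (grace in the sample) from raising an alert.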

We also have a separate tool available to assist in disinfecting. The tool is available from here.

We also recommend that system administrators block access to web sites used by the worm. The sites keep changing, but the current domains to block are: